// the find
kunai-project/kunai
Threat-hunting tool for Linux
Kunai is an eBPF-based security monitoring tool for Linux, built with Rust and the Aya library. It hooks into kernel events — process execution, network connections, file access, DNS, io_uring, ptrace, module loading — and delivers them in chronological order with on-host correlation. It's the closest thing Linux has to Sysmon, and unlike Sysmon for Linux it's actively maintained and written in a memory-safe language.
The chronological event ordering is genuinely hard to get right with eBPF and they've solved it in userspace — most tools just emit events as they arrive and leave timestamp reconciliation to the consumer. CO-RE (Compile Once, Run Everywhere) support means the same binary works across kernel versions without recompiling, which is the difference between a lab tool and something you can actually deploy at scale. Container awareness via namespace tracking is built in, not bolted on — container-originated events carry their context through. The static musl build means deployment is drop-a-binary simple: no kernel module signing, no DKMS hell.
YARA integration exists but the rule management story is underdeveloped — there's no documented way to push rule updates to running instances without restarting. The detection rule language is YAML-based and expressive enough for simple IOC matching, but writing rules that correlate across multiple events (e.g., process A spawned process B which then connected to an external IP) requires understanding the internal correlation model that isn't well documented. Kernel version compatibility is the usual eBPF tax — the compatibility matrix exists but the lower bound is kernel 5.2, which will bite anyone still running older enterprise distros like RHEL 7. Community size is small (1k stars, 78 forks) and the Discord is the primary support channel, so if you hit a production edge case you're largely on your own.
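To make the multi-event correlation problem concrete, here is an added consumer-side example (not Kunai's code, and not its rule language) that reconstructs the "process A spawned process B which then connected to an external IP" chain from an event stream. The NDJSON field names and the sample events are constructed for illustration and do not reflect Kunai's real output schema.

```python
import ipaddress
import json

# Constructed sample stream in an assumed, simplified Kunai-like NDJSON shape
# (field names are illustrative, not Kunai's real schema). Lines are deliberately
# out of timestamp order to show why a consumer must sort before correlating.
SAMPLE_EVENTS = """\
{"ts": 1, "event": "execve", "pid": 100, "ppid": 1, "exe": "/usr/bin/bash"}
{"ts": 3, "event": "connect", "pid": 200, "dst_ip": "203.0.113.10", "dst_port": 443}
{"ts": 2, "event": "execve", "pid": 200, "ppid": 100, "exe": "/usr/bin/curl"}
{"ts": 4, "event": "execve", "pid": 300, "ppid": 100, "exe": "/usr/bin/ls"}
{"ts": 5, "event": "connect", "pid": 300, "dst_ip": "10.0.0.5", "dst_port": 22}
"""

# RFC 1918, loopback and link-local ranges; anything else is treated as external.
# (203.0.113.0/24 is a documentation range, used here as a stand-in external IP.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(ndjson: str, parent_exe: str) -> list:
    """Return (parent_exe, child_exe, 'ip:port') for every child spawned by a
    process running parent_exe that later connected to an external address."""
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])        # reconcile ordering before joining
    procs = {}                                # pid -> most recent execve event
    hits = []
    for ev in events:
        if ev["event"] == "execve":
            procs[ev["pid"]] = ev
        elif ev["event"] == "connect":
            child = procs.get(ev["pid"])
            parent = procs.get(child["ppid"]) if child else None
            if (parent and parent["exe"] == parent_exe
                    and ev["ts"] >= child["ts"] and is_external(ev["dst_ip"])):
                hits.append((parent["exe"], child["exe"],
                             f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS, "/usr/bin/bash"):
        print("parent %s -> child %s -> external %s" % hit)
```

The state a real rule engine needs (a process table keyed by pid, plus ancestry) is exactly what an on-host correlation model has to maintain; a flat IOC match on a single event cannot express this chain.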